Pentester pops open Tesla Model 3 using low-cost Bluetooth module

Anything that uses proximity-based BLE is vulnerable, claim researchers


Tesla Model 3 and Y owners, beware: the passive entry feature on your vehicle could potentially be hoodwinked by a relay attack, leading to the theft of the flash motor.

Discovered and demonstrated by researchers at NCC Group, the technique involves relaying the Bluetooth Low Energy (BLE) signals from a smartphone that has been paired with a Tesla back to the vehicle. Far from simply unlocking the door, this hack lets a miscreant start the car and drive away, too.

Essentially, what happens is this: the paired smartphone should be physically close by the Tesla to unlock it. NCC's technique involves one gadget near the paired phone, and another gadget near the car. The phone-side gadget relays signals from the phone to the car-side gadget, which forwards them to the vehicle to unlock and start it. This shouldn't normally happen because the phone and car are so far apart. The car has a defense mechanism – based on measuring transmission latency to detect that a paired device is too far away – that ideally prevents relayed signals from working, though this can be defeated by simply cutting the latency of the relay process.

In a real-life scenario, a victim could be in a building just out of range of their Tesla while standing near a crook with a relay gadget on them. This gadget relays signals from the victim's phone to the Tesla outside via another miscreant with a gadget, who jumps in and steals the unlocked vehicle.

In its testing, NCC Group said it was able to perform a relay attack that opened a Tesla Model 3 in which the vehicle's paired device was located in a house approximately 25 metres from the vehicle. Using phone-side and vehicle-side relaying devices made from $50 Bluetooth development modules, the team said it managed to gain full access to the Tesla when the vehicle-side relay was brought within 3 metres. 

While NCC only tested the attack on a Tesla Model 3, Sultan Khan, senior security researcher at NCC and the author of the advisory, said the technology used in the Tesla app is the same when connecting to a Model 3 or Y. Khan also theorized that Model 3 and Y key fobs were also likely affected, though those weren't tested either.

The advisory added:

As the latency added by this relay attack is within the bounds accepted by the Model 3 (and likely Model Y) passive entry system, it can be used to unlock and drive these vehicles while the authorized mobile device or key fob is out of range.

A problem of keys

Tesla hasn't had a good history when it comes to security researchers finding ways to unlock its cars. In 2014, a group of Chinese university students managed an attack on a Model S that allowed them to open doors, sound the horn and more while the vehicle was in motion, and a second Chinese group did much the same in 2016. That same year, the Tesla app was exploited to allow attackers to track, locate, unlock and start vehicles. Two years later, Belgian researchers managed to clone Tesla key fobs, giving them full control of the affected vehicle.

A problem of Bluetooth

At the same time NCC Group released its Tesla BLE relay advisory, it published a second advisory authored by Khan. In that advisory, he explains how NCC's novel method to hijack a Tesla works against anything relying on BLE to confirm the presence of an authorized user.

In the advisory, Khan states that BLE proximity relay attacks have been known about for years. Fortunately for fans of the protocol, existing relay attacks introduce too much latency. "Products commonly attempt to prevent relay attacks by imposing strict Generic Attribute Protocols (GATT) response time limits and/or using link layer encryption," Khan said. 

The tool developed by NCC Group for its research operates at the link layer, which Khan said reduces latency down to acceptable GATT ranges. By doing so, it's able to circumvent latency bounding and link layer encryption, Khan said. 

It's worth noting that the Bluetooth Core Specification makes no claims that BLE proximity signals are secure. In Proximity Profile specification updates from 2015, the Bluetooth Special Interest Group (SIG) stated "the Proximity Profile should not be used as the only protection of valuable assets," and additionally "there is currently no known way to protect against such attacks using Bluetooth technology."

Car owners should disable passive entry

Khan said that the Tesla Product Security team was notified in April of the flaw. Their response was that it was a known limitation of the passive entry system. 

Tesla owners concerned about a relay attack should use the PIN to Drive feature in their Tesla, as well as disabling passive entry:

Controls > Settings > Doors & Locks > Passive Entry > OFF

Khan also said adding checks like having the app report the device's last known location and time-of-flight ranging could protect owners, but that's on Tesla to fix, and Khan told Bloomberg the automaker said it has no plans to do so.
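As an added illustration (not code from the NCC advisory, Tesla or the Bluetooth SIG), the following Python model contrasts the two defences discussed above: a GATT-level response-time limit, which a low-latency link-layer relay stays inside, and time-of-flight ranging, which measures distance from signal propagation and leaves a distant relay no latency budget at all. Every timing, threshold and distance is a constructed assumption, not a measured value.

```python
"""Toy model of a BLE passive-entry proximity check.

All timings below are constructed assumptions for illustration; none are
measured Tesla, NCC Group or Bluetooth SIG figures.
"""
from dataclasses import dataclass

SPEED_OF_LIGHT_M_PER_S = 299_792_458.0


@dataclass(frozen=True)
class Path:
    name: str
    distance_m: float      # true phone-to-car distance
    relay_delay_s: float   # extra delay injected by relay hardware (0 = none)


def propagation_rtt_s(distance_m: float) -> float:
    """Round-trip radio propagation time over the true distance."""
    return 2.0 * distance_m / SPEED_OF_LIGHT_M_PER_S


def gatt_response_time_s(path: Path, phone_processing_s: float = 0.010) -> float:
    """What an app-level (GATT) timer sees: phone processing dominates (assumed 10 ms)."""
    return phone_processing_s + propagation_rtt_s(path.distance_m) + path.relay_delay_s


def gatt_latency_check(path: Path, limit_s: float = 0.030) -> bool:
    """Coarse latency bound (assumed 30 ms): only catches slow, GATT-level relays."""
    return gatt_response_time_s(path) <= limit_s


def tof_distance_estimate_m(path: Path) -> float:
    """Time-of-flight ranging: convert measured propagation RTT to distance.
    Any relay delay is counted as extra flight time and inflates the estimate."""
    rtt = propagation_rtt_s(path.distance_m) + path.relay_delay_s
    return rtt * SPEED_OF_LIGHT_M_PER_S / 2.0


def tof_range_check(path: Path, max_distance_m: float = 2.0) -> bool:
    """Accept only if the ranged distance is within the unlock radius (assumed 2 m)."""
    return tof_distance_estimate_m(path) <= max_distance_m


def relay_budget_s(path: Path, max_distance_m: float = 2.0) -> float:
    """Extra delay a relay could add and still pass ToF ranging; negative = impossible."""
    return 2.0 * (max_distance_m - path.distance_m) / SPEED_OF_LIGHT_M_PER_S


# Constructed scenarios: owner beside the car, a slow GATT-level relay,
# and a fast link-layer relay bridging the 25 m from house to car.
LEGIT = Path("phone at car", distance_m=1.0, relay_delay_s=0.0)
GATT_RELAY = Path("GATT-level relay", distance_m=25.0, relay_delay_s=0.080)
LINK_RELAY = Path("link-layer relay", distance_m=25.0, relay_delay_s=0.008)
```

Under these assumptions the link-layer relay passes the 30 ms GATT bound with room to spare, while time-of-flight ranging reports a distance far beyond 2 m because the relay's 8 ms becomes apparent flight time; `relay_budget_s` shows that for a 25 m gap no relay speed would be fast enough.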

Because this attack potentially affects so many devices used to secure so many things, it's a serious issue. Khan said that Bluetooth SIG was notified of the flaw and it told him "more accurate ranging mechanisms are under development."

We've asked the Bluetooth SIG to tell us more about those mechanisms and their availability, but have yet to hear back. ®
